
Microsoft States Full TCP/IP Too Dangerous

daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."
  • by TripMaster Monkey ( 862126 ) * on Thursday April 28, 2005 @09:55AM (#12371023)
    News Flash: Butter is good on toast!

    From the Article:

    "Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers to launch massive distributed denial of service attacks," Microsoft warned in a statement to ZDNet Australia.


    Interesting that M$ sees fit to lecture us on the dangers of raw sockets now, given their prior stand on the issue. [grc.com]
  • Ulterior motives (Score:5, Interesting)

    by bmw ( 115903 ) * on Thursday April 28, 2005 @09:56AM (#12371038)
    It's quite obvious that Microsoft has other motives for doing this as this really doesn't do anything to improve security. As was quoted in the article, Fyodor correctly points out that Windows (AFAIK) is the only operating system to put such restrictions on raw sockets and it certainly has not helped their dismal security.

    Of course, there's always the possibility of ignorance...

    Never attribute to malice that which is adequately explained by
    stupidity.


    but I really have to doubt that Microsoft is quite this dumb. They've got a lot of really talented people working there so you have to think that someone would have thought about this. Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.
  • by darylb ( 10898 ) on Thursday April 28, 2005 @10:00AM (#12371098)
    Microsoft is just responding to Steve Gibson [grc.com], of Gibson Research, who has hounded them for making raw sockets accessible to all programs in the past.
  • raw sockets+MS?! (Score:3, Interesting)

    by quetzalc0atl ( 722663 ) on Thursday April 28, 2005 @10:01AM (#12371108)
    are they kidding?

    if you are mucking with protocols by using raw sockets, are you really going to be coding it on a windows platform? i can imagine a worm or trojan doing it perhaps - in a ddos scenario - but since when has raw sockets become the red-headed stepchild implicated in this?
  • FMEA (Score:5, Interesting)

    by millahtime ( 710421 ) on Thursday April 28, 2005 @10:03AM (#12371125) Homepage Journal
    Failure Modes and Effects Analysis... I would love to see that done on windows. Maybe find the problem itself rather than work around it and leave the failures in there. Bad by design.
  • by figleaf ( 672550 ) on Thursday April 28, 2005 @10:03AM (#12371127) Homepage
    Raw Sockets are not disabled at the server versions.
    Under Windows 2003, programs with admin privileges can use Raw sockets.

  • So when... (Score:5, Interesting)

    by RailGunner ( 554645 ) on Thursday April 28, 2005 @10:04AM (#12371137) Journal
    So, they're going to re-disable raw sockets? I'd suggest that the IP implementation on SP2 is broken already. For example - when will you be able to send more than 8K in a single packet using a Java Socket on Windows XP Service Pack 2?
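    import java.io.IOException;
    import java.io.PrintWriter;
    import java.net.InetAddress;
    import java.net.Socket;

    public class SendTest
    {
        public static void main (String[] args)
        {
            // Placeholder payload: substitute a string longer than 8K
            String sString = "Some string more than 8K";
            // try-with-resources closes the writer and the socket even on error
            try (Socket client = new Socket (InetAddress.getByName ("127.0.0.1"), 5678);
                 PrintWriter sock_out = new PrintWriter (client.getOutputStream(), true))
            {
                // autoflush is enabled, so println() also flushes the stream
                sock_out.println (sString);
            }
            catch (IOException e)
            {
                // EOFException is a subclass of IOException, so this handles both
                e.printStackTrace();
            }
        }
    }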

    Try it yourself - see if you can receive more than 8K in a recv() call in Windows XP SP2. You can't.
    If you do the same on Linux or OS X, you can. On Windows XP SP1, you can.

    Thanks, Microsoft.

  • by quetzalc0atl ( 722663 ) on Thursday April 28, 2005 @10:05AM (#12371152)
    ...since the admin can always write packets (in frames) directly to the layer 2 driver. all they are doing is breaking the BSD sockets API - security through obscurity? right....
  • Replacement (Score:5, Interesting)

    by Mr_Silver ( 213637 ) on Thursday April 28, 2005 @10:07AM (#12371184)
    As soon as I saw this, it made me remember this article [pbs.org] by Cringely (written in August 2001) which discusses the "problem" of raw sockets.

    From it:

    According to these programmers, Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I'll call it TCP/MS.

    How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.

    Food for thought.
  • by shird ( 566377 ) on Thursday April 28, 2005 @10:11AM (#12371252) Homepage Journal
    Or perhaps if you are going to write apps that require such low level network access, you should be using a packet driver (or whatever the mechanism is in windows) to do that.

    The same can be said for any access to hardware that could be considered unnecessary for typical applications or 'harmful' to the hardware (harmful in the sense that it is 'harmful' to the network and your connection).

    I think what MS has done is quite acceptable, given the number of trojans out there that are DoS'ing and spamming like crazy. Trojans that are on the systems often because of user stupidity rather than an insecure OS. As long as it is possible to actually write such a 'driver' (I think there is a different name for it, but I can't remember).
  • by Anonymous Coward on Thursday April 28, 2005 @10:15AM (#12371309)
    you must never casually run Windows with Administrator privileges.

    PLEASE tell this to the executive staff at every fortune 500 company.

    those knobs DEMAND that they run as admins, then their subordinates demand it and so on... so the poor lowly IT manager gets reamed because the CTO can not install elf bowling because of security reasons.

    until we stop installing stupidity in the executive staff of corporations, running without admin priv's on windows is not an option.

  • Re:Ulterior motives (Score:5, Interesting)

    by Anonymous Coward on Thursday April 28, 2005 @10:21AM (#12371388)
    Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

    Actually, I think we're seeing the maturation of a "corral the wagons" paranoia in Microsoft's culture. Lacking the ability to push any serious innovation internally (let's be serious, most of Microsoft's innovations during the past 20 years were brought in through acquisitions or copycat development ala VMS for NT, liberal borrowing from OS/2, Apple and Mach, etc). Now that antitrust severely limits acquisition growth, Microsoft is facing the same threat that broke Worldcom. Unable to make significant acquisitions, unable to meet growth internally, and now unable to cook the books like Worldcom, Microsoft's certain to get very defensive as the pressures heat up.

    I thought I saw the beginnings of this phenomenon in 1998 at the IPv6 summit, where Microsoft's techs at the conference were explaining their implementation at first with great pride, only to be somewhat ashamed at how much they hadn't followed the specification very well, had numerous bugs and compatibility issues, and were clearly well behind everyone else. Nearly every other operating system had a much more mature implementation. (How long did that IPv6 stack remain a beta too?)

    Amazingly, Microsoft is now attempting to patent IPv6 [zdnet.com] through a copy-cat specification (as was discussed on slashdot [slashdot.org]). Somehow it's not amusing when the kid who was not very successful in his participation in the group assignment decides to take exclusive credit for the group's effort.

    So now Microsoft is blaming IPv4's engineering (when just like IPv6, everyone else seemed to understand and master the assignment EXCEPT Microsoft)?

    As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?

  • by spadadot ( 879731 ) on Thursday April 28, 2005 @10:28AM (#12371479)

    I wrote an article about a very serious problem related to Windows Server 2003 TCP/IP.

    Here's a quote : "Trying to set up a Windows Media streaming server to stream high-quality videos, I came across what I can now call a TCP/IP bug in Windows Server 2003 (Standard Edition). In some (not unusual) situations, the server simply cannot use all available bandwidth between itself and the client.
    [...]
    Eventually, I came to accept the idea that Windows Server 2003, an OS designed for server tasks, is not able to fill a 2Mbit/s ADSL connection. Yes I know it sounds incredible but I've been looking without success for another conclusion for the past 3 months."

    Read the full technical explanation and see what Microsoft has to say about it : Microsoft Windows Server 2003 Buggy TCP/IP ? [dariospagnolo.org]

  • Re:A wise decision (Score:5, Interesting)

    by NoMoreNicksLeft ( 516230 ) <john.oylerNO@SPAMcomcast.net> on Thursday April 28, 2005 @10:33AM (#12371543) Journal
    Set my girlfriend up with a non-admin account. So, I end up having to install all her software for her... except at the time, things like ICQ simply wouldn't run right, even when installed by admin and ran as user. Many of those have changed, many haven't. Still too many dumb apps and games that won't run with anything less, even if you did manage to install them.

    What I really need, is a firefox theme that looks like IE, and a desktop theme that looks like XP. She'd never know the difference. (and when wine fails to run the dumb shareware games she tries to install, I'd be like "They must not have programmed them very well, I can't make them work!".)
  • by Anonymous Coward on Thursday April 28, 2005 @10:34AM (#12371553)
    Microsoft is clearly trying to shift the blame from their dain-bramaged design to TCP/IP.

    No, they're not. They're trying to limit the damage someone who's hacked a windows box can do by taking away something dangerous 99% of people don't need. Windows boxes will always be hacked, same as any other OS.
  • by Anonymous Coward on Thursday April 28, 2005 @10:35AM (#12371578)
    I'm all for standards compliance and the ability for an OS (Windows) to offer full functionality in this area...

    But, until you've been hit with a 4GBit DDOS attack coming from 20,000 unsecured Windows boxes who are spoofing their IP's, you truly don't know how bad this is.

    This functionality should be available in an update the user must manually download. Anyone who needs nmap will have to download it.

    On a side note, there's a better solution to the DDoS problem - ISP's should prevent spoofed packets from leaving their networks.
  • by SuperKendall ( 25149 ) * on Thursday April 28, 2005 @10:49AM (#12371779)
    Yes, the path becomes clear...

    Abandon the industry standard for VMs (Java) and roll your own (.Net).

    Abandon the industry standard for portable documents (PDF) and roll your own (Metro).

    Abandon the industry standard for networking (TCP/IP) and roll your own (???).

    Each sounds more improbable than the last. Yet the first one has happened, the second is going to happen, and thus the third seems much less improbable than it would have otherwise.
  • Bad Logic (Score:3, Interesting)

    by Master of Transhuman ( 597628 ) on Thursday April 28, 2005 @10:50AM (#12371799) Homepage

    People who are saying the "average" user doesn't "need" raw sockets while saying that the hacker who does will use another OS ANYWAY are obviously missing the point.

    Why bother disabling something that's part of a standard when it will have no effect on either the average user or the hacker?

    MS is saying here that if the "average" user had raw sockets, they could program DoS code? I don't think that's gonna happen.

    All disabling sockets has done is inconvenience nmap users - who just happen to be sys admins running security scans on their networks from their workstations.

    Maybe MS doesn't want them to be able to run nmap? Like maybe they might find out how insecure their systems are?

  • by cirisme ( 781889 ) on Thursday April 28, 2005 @10:51AM (#12371821) Homepage

    The brain damaged part has nothing to do with TCP/IP, because their implementation has nothing to do with security.

    Seriously? You really think it's their brain damaged TCP/IP implementation that's at fault? Think again. It may be bad, but giving every program access to raw sockets is a bit silly considering how easy it is to get programs into Windows. But this is a good move, a better one would have been to make it so it's not as simple to get untrusted programs running in Windows but I digress.

  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Thursday April 28, 2005 @10:53AM (#12371843)
    The various BSD flavours support raw sockets. So does Solaris, and even Linux for that matter.

    The difference with the Unix-like systems is that ordinary users don't get to poke about with dangerous stuff.

    The real point is that Windows software has for too long depended on the assumption that the user has full unfettered access to every resource on the computer -- an assumption which had to cease to be true when Windows became network-aware, because in a networked environment some things are properly restricted. Yet for the best part of ten years, Windows continued to run without privilege separation; and application programmers took advantage of that, creating code which turned out to be fundamentally broken.

    Face it, the bathwater is minging and the baby is dead -- there is nothing worth saving in the whole sorry mess. Whether bad water killed the baby, the dead baby made the water worse, or the two are unconnected, isn't really important right now. What is important is to get rid of them both, scrub out the bathtub and start again.

    Of course, if you're going to switch to a new version of Windows -- which would have to be totally incompatible with all that sloppily-written software needing root access for no good reason -- then that would be about as big a change as switching to some other operating system. That must worry Microsoft .....
  • by Slashcrap ( 869349 ) on Thursday April 28, 2005 @10:53AM (#12371847)
    Quoted from there is basically. If you want to use hand-crafted TCP/UDP packets over a raw IP connection, you must enable the Internet Connection Firewall.

    I was about to reply pointing out that you had obviously meant to say, "disable the Firewall".

    Then I read the Knowledgebase article.

    God, that's retarded. The firewall doesn't do jack shit to block outgoing traffic anyway. Why the hell should it be safer to allow raw sockets when it's on?
  • by Bryson ( 112202 ) on Thursday April 28, 2005 @11:02AM (#12371970)

    And he is wrong.

    To be clear: The security problem is that the net routes any
    packets it can, and some TCP/IP stacks will choke upon
    *receiving* (a flood of) bad packets. Trying to make it
    difficult to *send* those packets from Windows is essentially
    useless.

    Removing raw socket support from an operating system is a
    trivial, bogus attempt to hide the problem without fixing it. A
    root-compromised system can send raw packets no matter what the
    vendor implements.

    There are two reasonable places at which to resist these
    denial-of-service attacks: At the hosts, we can tolerate
    bogus-packet-floods with things like SYN-cookies or
    random-early-drop; in the routing infrastructure, we could halt
    floods of hostile messages from reaching their destinations.

    Microsoft's approach here is nonsense. If an attacker takes
    control of a system, he can send from it any packets he wants.

    --
    --Bryan
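
The host-side defence named in the comment above, SYN cookies, sketched as an added example (not part of the original comment and not any operating system's actual code). It follows the classic layout of 5 bits of a 64-second time counter, 3 bits of MSS index and a 24-bit keyed hash of the 4-tuple; the key, the MSS table, the use of HMAC-SHA256 and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for this example only.
SECRET = b"constructed-demo-key"   # a real stack would use a random per-boot key
MSS_TABLE = (216, 536, 1024, 1220, 1360, 1440, 1452, 1460)  # 8 entries -> 3 bits
COUNTER_SECONDS = 64               # the time counter t ticks every 64 seconds


def _mac24(src, sport, dst, dport, t, secret):
    """24-bit keyed hash of the connection 4-tuple and the time counter t."""
    msg = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + struct.pack("!HHI", sport, dport, t & 0xFFFFFFFF))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, sport, dst, dport, client_mss, now, secret=SECRET):
    """Return the 32-bit sequence number for the SYN-ACK. Nothing is stored,
    so a flood of SYNs from forged sources consumes no connection-table memory."""
    t = int(now) // COUNTER_SECONDS
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(src, sport, dst, dport, t, secret), "big")
    return ((t & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, ack_num, now,
                 secret=SECRET, max_age=2):
    """Validate the final ACK of the handshake.

    Returns the MSS encoded in the cookie if ack_num - 1 is a cookie this
    host issued for this 4-tuple within the last max_age counter ticks,
    otherwise None (the ACK is dropped and no connection is created).
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    t_now = int(now) // COUNTER_SECONDS
    for age in range(max_age + 1):
        t = t_now - age
        if t < 0:
            break
        # Only a sender that really received the SYN-ACK can echo a value
        # whose hash matches its own address, port and a recent counter.
        if (t & 0x1F) == t5 and hmac.compare_digest(
                mac, _mac24(src, sport, dst, dport, t, secret)):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed handshake between documentation addresses (RFC 5737).
    isn = make_cookie("198.51.100.7", 40000, "192.0.2.10", 443, 1460, 1_000_000)
    ack = (isn + 1) & 0xFFFFFFFF
    print("genuine ACK  ->", check_cookie("198.51.100.7", 40000, "192.0.2.10", 443, ack, 1_000_030))
    print("other source ->", check_cookie("198.51.100.8", 40000, "192.0.2.10", 443, ack, 1_000_030))
```
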
  • by Proudrooster ( 580120 ) on Thursday April 28, 2005 @11:02AM (#12371978) Homepage
    What's the fuss? So RAW sockets aren't available in user mode. That will keep infected PC's from DDoS'ing the universe (temporarily), until the virus/spyware writers exploit holes in the O/S to escalate their privileges.

    MS is just temporarily making exploiting a machine harder, but it will ultimately be futile and lead to even more nefarious and hostile virus/worm/spyware applications. This is a bandaid at best.

    Windows is architected so poorly from a security standpoint, that it's probably time to just start over. Security in Windows has always been a "bolt-on" hack. And just remember, no matter what you do, Security is an Illusion.

    Is it time for developers at SlashDot to provide an interface similar to GMAIL so that I don't have to put HTML tags in my comments?
  • by MemoryDragon ( 544441 ) on Thursday April 28, 2005 @11:17AM (#12372177)
    In a system which grants admin privileges to every user of course raw sockets can be dangerous. But the problem is less raw sockets, the problem is more the system itself which uses it.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Thursday April 28, 2005 @11:18AM (#12372198) Homepage
    The limitations of IPV4 have nothing to do with Zombies.
    That's not quite true. Many (most?) zombies and other forms of malware out there that are used to DDoS remote sites take advantage of the limitations of IPv4 (mostly the ease of forging your source IP address) to hide the true sources of the attack.
  • by shird ( 566377 ) on Thursday April 28, 2005 @11:39AM (#12372506) Homepage Journal
    This 'fix' was only just introduced in SP2. Most of those attacks are likely to be from infected machines that aren't patched up - and therefore aren't running SP2. So you cannot really draw the conclusion that it's not helping.
  • by Anonymous Coward on Thursday April 28, 2005 @11:42AM (#12372558)
    I work for a company that sells a high-end network security scanning product. We have been dealing with this XP issue now for almost 2 years, and we are not the only ones who have complained to Microsoft. We have pushed our complaints as far through the channels as we can. Microsoft isn't listening.

    Their response is: buy Windows Server 2003 if you want raw sockets. We asked them if there was any guarantee that they would not break the raw sockets feature in 2003, and they would not give us that guarantee. Besides, Windows Server 2003 ships with a lot of stuff we would have to disable to make the box even remotely secure.

    Our CEO even registered a complaint with Microsoft, saying "We pay to use your software and you are hurting our business and hurting our customers and costing us money with this change. And you have heard our complaints and you are ignoring them." Microsoft responded that they would pass our criticism up the chain, and that's the last we heard.

    That's why it irritates me to read in the article that Microsoft has had "little negative feedback" on this issue. I'm sure we're not the only paying customer of Microsoft that has been affected. And they are not telling the truth when they say that "the only thing affected by this change is fingerprinting software": port scanning is affected too.

    So we have started recommending that our customers use the Linux version of our product. Now Microsoft is losing hundreds of thousands of dollars of revenue per quarter just from our company.
  • Re:A wise decision (Score:2, Interesting)

    by shird ( 566377 ) on Thursday April 28, 2005 @11:45AM (#12372593) Homepage Journal
    and when wine fails to run the dumb shareware games she tries to install. I'd be like "They must not have programmed them very well, I can't make them work

    Why don't you just say that when things like shitty ICQ fail to run correctly? After all, in this case it actually *is* the fault of the programmers of the application, unlike the 'shareware windows games running under Linux' case you described.
  • by RealProgrammer ( 723725 ) on Thursday April 28, 2005 @11:49AM (#12372651) Homepage Journal
    I think you misunderstood the GP post. It's XP in general that's brain-damaged, not the XP TCP/IP stack.

    Microsoft is trying to blame the design of TCP/IP instead of the design of Windows. Everybody else makes it work; why can't they?
  • by 0racle ( 667029 ) on Thursday April 28, 2005 @12:05PM (#12372905)
    It's almost irrelevant how good you think you are, if you can't run Windows unprivileged you don't understand it. Personally, if I were looking to hire you, and I found you running as an administrator for no good reason, you'd never get hired no matter how good of a track record you have. Of course, I don't run a business so that point is irrelevant. Sacrificing good practices for an iota of convenience is exactly why Windows security is so poor out of the box.
  • by Anonymous Coward on Thursday April 28, 2005 @12:23PM (#12373119)
    Microsoft agrees with him because this is an easier excuse than trying to fix Windows so not every website's active-X control has admin privileges.

    The real solution to the problem isn't breaking networking functionality depending on if you bought the cheap or expensive version of the OS.

    The real solution would be to restrict raw sockets to require Administrator/root privileges, and make it harder for the average Outlook attachment to get root privileges.

    Microsoft, on the other hand, sees this as an excuse to not fix Outlook and Internet Explorer, and instead sell more of the expensive version.

  • by hedora ( 864583 ) on Thursday April 28, 2005 @01:30PM (#12373969)
    I see this as a three pronged approach by Microsoft.
    • Take a new, innovative direction in security. In the long run, they can cripple windows until it cannot be useful enough for a virus/worm author to target. (If you are an end user, see the next point.)
    • Microsoft understands that some "enterprise" applications like nmap or ping require a modern operating system. Therefore, maybe a special "enterprise" version of XP (with all the functionality of Windows XP SP1) is in the works. It will only cost a 'little' more than XP Pro. Maybe they'll use the average of the price of XP Pro and 2003 server...
    • If everyone signs their code with an MS approved key, the code that results will be non-malicious and bug free. (Look at ActiveX!) Code in the kernel runs faster. (Especially since it bypasses the .NET VM!) Therefore, application developers can simply write at kernel level. This has the added benefit of being really, really, hard to get right. We all know that virus authors are complete idiots, and professional software developers are willing to jump through arbitrarily high hoops to deal with arbitrary bugs/limitations in Windows, so there is no downside to further obfuscating its APIs.

    By extrapolating this reasoning over the next few years, we can see that other dangerous operations will be moved into the kernel. For instance, preventing user-space code from writing files in binary mode will prevent malicious third party software from writing invalid application data. (This way, the terrorists that wrote Open Office will not be able to crash Office XP any more...this also kills off polymorphic viruses that spool the outgoing versions of themselves to disk!)

    Finally, they can set all of C:\Program Files and C:\Windows read only, unless you write your installer as a kernel level driver. This will further protect the system from malicious applications.

    This combined with a few hundred ill-advised random hacks will lock down the dangerous administrator account. If any customer complaints are generated, they'll simply have the default user run everything in a cooperative-multitasking, in-kernel setting. It will be like Windows 3.0, but secure.

    Maybe they'd be better off if they moved away from this idea that pushing application code into the kernel is a good idea...

  • by Deathlizard ( 115856 ) on Thursday April 28, 2005 @01:39PM (#12374082) Homepage Journal
    True, but you can make it very difficult to change it.

    For example, you can make it an addon in "Add/remove Programs" like they do with UPNP. That way, in most cases you would need to put the Windows XP CD into the machine in order to install open Raw Sockets.

    Yes the malware could include the files to install Unrestricted Raw sockets, but if the files to enable Raw Sockets are protected and restricted correctly it would be difficult for any program other than Windows to modify them.
  • by Anonymous Coward on Thursday April 28, 2005 @02:27PM (#12374705)
    Interesting that M$ sees fit to lecture us on the dangers of raw sockets now, given their prior stand on the issue.

    I think the key to their change in attitude can be found in TFA:

    MS Blast did this by using raw sockets to launch a huge TCP SYN attack against Microsoft

    Microsoft has done this time and time again; suggest a new feature, get told by the community that such a feature could be misused by black hats, say "Oh no, nobody could ever do that!" and release it anyway! Only when they get their noses rubbed in it do they rethink anything.

    From the same article:

    It also pointed out that "writing and installing kernel-mode code is vastly more complicated" than using an existing raw socket feature, and that if malware did make it into the kernel of a Windows machine, the user would have more serious concerns than just SYN attacks launched from their machines.

    They just pointed out their next bit of idiocy that will bite them in the ass! And it is really the same damned issue!

    What's really at fault here is Microsoft's lame security model in the OS itself! Windows is easy to infect with malicious code and malicious code runs with full privileges. That's bad design.

    The problem is not with raw sockets: OpenBSD, Mac OS X, FreeBSD, NetBSD and all the various Linux flavours support it. None of them are responsible for all the damned exploitation packets I see at my firewall!
  • by bmajik ( 96670 ) <matt@mattevans.org> on Thursday April 28, 2005 @02:39PM (#12374894) Homepage Journal
    Raw sockets have a use when you want to implement your own IGMP/ICMP packet.

    Sure. Average home users do nothing but write their own protocols using raw sockets.

    If i suggested or said that nobody has a use for raw sockets, i misspoke or you misunderstood. The _average_ user only suffers from raw socket support, because it makes their machine a more desirable target for 0wnage.

    for the people that legitimately need raw sockets, they're smart enough to figure out how to get them.

    "we don't want to admit we were wrong because then those 200 million people would know what really crappy software we sell". If Microsoft made a mistake then fix it.

    Well, pick your argument. Should raw sockets be in or out? Was it a mistake to ship it with them in or not?

    Our "mistake" was shipping an operating system that suffered from remote root exploits. This mistake, compounded with the need to keep home users running as admin, and also with us shipping a fully functional TCP/IP stack, allows for an unpatched xp machine to easily be turned into a botnet member. That was a big problem for us, our customers, and the internet at large. We can't ship an operating system that does what it needs to do yet has _zero_ security bugs ever discovered over its lifecycle. We don't know how. If you do, or you know somebody that does, we'll hire them. For whatever money they want.

    One of the core tenets of security is defense in depth. We know that eventually someone will break into a windows machine. When they get there, we want it to be harder for them to turn it into a botnet drone/zombie. In the future we'll hopefully get away from running-as-admin which will further raise the bar.

    Put some of that ill gotten gain to use and fix the problem the "Right Way"

    I said we were working on doing just that, and that running as non-admin almost made it into WinXP. Unfortunately, all those people out there with badly written software (some of it by us, probably) running on windows expect it to still work. We couldn't get everything sorted out in the Windows XP time frame. It's been a source of non-stop work and the story for longhorn will be better but i don't know to what degree (i.e. it may not be all the way fixed).

    A kernel that can be patched and have its own hooks intercepted by malicious software is the problem.

    Show me a kernel in use on home computers that doesn't suffer from this.

    Which department are you in, Public Relations or Marketing?

    Testing, actually :) As many defects as you find in MS software, believe me, there are plenty that never make it to you.

  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Thursday April 28, 2005 @03:29PM (#12375486) Homepage
    I have no idea why ISPs don't do this
    Because it doesn't really help them except for helping them be a good Internet member.

    When you set up proper egress filtering on your network, you make it harder for your network to be used to attack other networks -- at the very least, they can't forge their addresses to appear to come from other ISPs anymore. But it doesn't make your network any less vulnerable to attacks.

    Yes, everybody should do it. But since there's no real benefit to doing it beyond knowing that you're doing `the right thing', many ISPs don't do it. Also, doing egress filtering can break a few legitimate applications such as dual homing, requiring some further configuration.

    I'm not saying this is right or wrong -- just saying why everybody doesn't do it.
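
The egress filtering discussed in the comment above, as an added example (not part of the original comment): a provider-edge check that only lets a packet out if its source address belongs to the prefixes assigned to the interface it arrived on. It also shows the dual-homing case the comment mentions, where a legitimate source is dropped until the extra prefix is configured. The class, interface names and prefixes are constructed for illustration.

```python
import ipaddress
from collections import Counter


class EgressFilter:
    """Per-interface source-address validation at the provider edge."""

    def __init__(self, assignments):
        # Map each customer-facing interface to the networks assigned to it.
        self.acl = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assignments.items()
        }
        self.dropped = Counter()   # drop count per interface, for monitoring

    def allow_prefix(self, ifname, prefix):
        """Further configuration, e.g. a dual-homed customer's other block."""
        self.acl.setdefault(ifname, []).append(ipaddress.ip_network(prefix))

    def permit(self, ifname, src):
        """True if a packet that arrived on ifname may leave with source src."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None            # unparseable source: treat as forged
        ok = addr is not None and any(
            addr in net for net in self.acl.get(ifname, ()))
        if not ok:
            self.dropped[ifname] += 1
        return ok


# Constructed topology using documentation prefixes (RFC 5737).
ASSIGNMENTS = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25"],  # dual-homed: also holds 203.0.113.0/24 elsewhere
}

# Constructed packets: (ingress interface, source address).
PACKETS = [
    ("cust-a", "192.0.2.10"),      # legitimate
    ("cust-a", "198.51.100.77"),   # forged: not cust-a's address space
    ("cust-a", "192.0.2.200"),     # forged: belongs to neighbour cust-b
    ("cust-b", "192.0.2.130"),     # legitimate
    ("cust-b", "203.0.113.5"),     # legitimate, but from the other provider's block
]


def run(filter_, packets):
    """Return the permit/drop decision for each packet, in order."""
    return [filter_.permit(ifname, src) for ifname, src in packets]


if __name__ == "__main__":
    f = EgressFilter(ASSIGNMENTS)
    print("strict filter:      ", run(f, PACKETS), dict(f.dropped))
    f.allow_prefix("cust-b", "203.0.113.0/24")
    print("dual-homing allowed:", run(f, PACKETS))
```
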

  • by Deathlizard ( 115856 ) on Thursday April 28, 2005 @06:04PM (#12377085) Homepage Journal
    Even if the OS was designed Correctly, it would get hacked.

    Let's say they had a full security model designed from the ground up to completely protect Administrator. Let's say that on a default install it made you a user account instead of admin. Let's go even as far as everything you install is installed on your account only and that simply erasing your profile removes everything you've ever done with that profile on the machine.

    All it's going to take to get that machine hacked is one single Privilege Escalation exploit. It doesn't matter if it's local or remote, or what you have to do to exploit it, if it's there it's over.

    Don't Believe me, ask Kevin Mitnick. He's a prime example of how to get into a machine using Social Engineering. He understood that the machine wasn't the weakest link in the chain but the person behind the keyboard was, and it's really easy to fool that person to do whatever you want them to do because most people don't know (or care) what they are doing.

    It would be trivial for someone to create an executable file that can exploit said root vulnerability, send it to John Q Luser and poof, his box is now the hackers box. How do you think sobig got on so many machines? All it is is an attached file that someone opens. If no one opened the file there wouldn't be such a huge outbreak of it. Doing the same thing with a rootkit instead of a virus would be just as trivial.

    And if you think it can't happen to linux or OSX or whatnot, think again. both of those OS's have or had local and global exploits this year alone, and it's a safe bet that there are a lot of unpatched machines out there, but in any case I can almost bet you could make a program for any of those OS's, and if it asked for the root password to install it and the person really wanted it, they would type the password in and it's over anyway. So if 10 Year old Billy really wants that new "Shoot the kitten out of the cannon" game that just came out on adware4freesearch.com, he will do anything to install it, even if it exploits root and formats your hard drive if the kitten breaks the 1000 YD Barrier

    The only true way that this would ever be stopped is if every user ran in a True VM environment (Like VMWare) that was totally separate from the host os and had a disposable operating environment independent of the user's profile, which would be erased once the user shut down or logged off, and even then, they could be doing something malicious for the time they are logged in.
